TECHNICAL ARTICLE

| Share on Twitter | Share on LinkedIn | Email

Functional Safety and Industry 4.0

Tom Meany Analog Devices, Inc.

IEC 61513 IEC 61131-6 Nuclear Sector Programmable Abstract Controllers Industry 4.0 offers a new vision for the factories of the future.

In these factories of the future, safety will be critical. Functional EN 50128 IEC 61800-5-2 safety addresses confidence that a piece of equipment will carry Railway IEC 61508 Variable Applications Speed Drives out its safety functionality when required to do so. It is an active form of safety in contrast to other forms of safety. Integrated circuits are fundamental in the implementation of functional safety IEC 61511 ISO 26262 IEC 62061 and, therefore, to Industry 4.0. This article explores the implica- Process Industry Automotive Machinery tions of functional safety for Industry 4.0. The implications include requirements for networks, security, robots/cobots, software, and Avionics Machinery Medical Home the semiconductors used to implement these features. D0178, D0254 ISO 13849 IEC 60601 IEC 60730

Figure 1. Sample of functional safety standards. Introduction The more basic concept in functional safety is that of a safety function. Functional safety is the part of safety that deals with confidence that a A safety function defines an operation that must be carried out to achieve system will carry out its safety related task when required to do so. For or maintain safety. A typical safety function contains an input subsystem, instance, that a motor will shut down quickly enough to prevent harm to a logic subsystem, and an output subsystem. Typically, this means that a an operator who opens a guard door or a robot that should operate at a potentially unsafe state is sensed, and something makes a decision on the reduced speed and force when a human is nearby. sensed values and, if deemed potentially hazardous, instructs an output subsystem to take the system to a defined safe state. Industry 4.0 is the next evolution of manufacturing plants promising increased flexibility and reduces costs. The time between the unsafe state existing to achieving a safe state is critical. A safety function might, for instance, consist of a sensor to detect This article will explore some of the implications of functional safety that a guard on a machine is open, a PLC to process the data, and a vari- for Industry 4.0. able speed drive with a safe torque off input that kills a motor before a hand inserted in a machine can reach the moving parts. Functional Safety A. Standards B. Safety Integrity Levels The basic functional safety standard is IEC 61508.1 The first revision of this SIL stands for safety integrity level and is a means to express the required standard was published in 1998, with revision two published in 2010 and risk reduction needed to reduce the risk to an acceptable level. According work beginning now to update to revision 3 for 2020. Since the first edition to IEC 61508, the safety levels are 1, 2, 3, and 4, with an order of magni- of IEC 61508 was published in 1998, the basic IEC 61508 standard has tude increase in safety requirements as you go from one level to the next. been adapted to suit fields such as automotive with ISO 26262,2 process SIL 4 is not seen in machinery and factory automation where generally no control with IEC61511,3 programmable logic controls with IEC61131-6,4 more than one person is typically exposed to a hazard. It is rather reserved machinery with IEC 62061,5 variable speed drives with IEC 61800-5-2,6 for applications like nuclear and rail where hundreds or even thousands of and many other areas. These other standards help interpret the very broad people can be hurt. There are also other functional safety standards such scope of IEC 61508 for these more limited fields. as automotive, which uses ASIL (automotive safety integrity levels) A, B, C, and D, and ISO 13849. Its performance levels A, B, C, D, and E can be An important parallel standard not derived from IEC 61508 is ISO 13849,7 mapped to the SIL 1 to SIL 3 scale. which covers machinery that is derived from the obsolete European EN 954 standard.

Visit analog.com 2 Functional Safety and Industry 4.0

System System In certain cases, systematic errors can be dealt with using diverse redun- Requirements Validation dancy. This is because diverse systems are unlikely to fail in the same way at the same time. The diagnostics inserted to deal with random failures Subsystem Subsystem Requirements Validation are also useful to detect systematic failures.

Element Element Much of the effort involves system engineering and good engineering Requirements Validation practice. The expression used in some documents is “state of the art.” Documentation is vital and being able to prove safety was achieved is Hardware Hardware Specifications Software almost as important as achieving safety. Software Integration Specifications Hardware Hardware Industry 4.0 Architecture Integration 8 Software Software Industry 4.0 is known by other names, including Industrie 4.0, Industrial Hardware Architecture Intergration Hardware IoT (IIoT), made in China 2025, industry plus, smart factory, and others. Design Test The 4.0 in the name represents the claims that it represents the fourth Software Software Hardware Design Test Hardware industrial revolution following the third revolution from around 1970, Implementation Unit Test when the widespread usage of electronics and IT began in automation. Software Software Implementation Unit Test While IoT for industry is a common topic in articles, conferences, and marketing efforts, it still lacks the killer application to bolster its adoption. Figure 2. Example V model for a system-level design. Possible killer applications include predictive failure, adaptive diagnostics, C. Sources of Failure and condition-based maintenance. Functional safety standards generally recognize two types of failures and A key idea in Industry 4.0 is that of cyber-physical systems (CPS). A CPS then propose the means to address them. consists of “smart machines, storage systems, and production facilities capable of autonomously exchanging information, triggering actions, and Random hardware failures are the easiest to understand in that they are controlling each other independently.”9 Put another way, everything is caused by, as the name suggests, random unexpected failures in equip- intelligent, instrumented, and interconnected. This definition has implica- ment. The probability of failure due to random failures is expressed as the tions for networking and security among other concerns. PFH (average frequency of dangerous failure) for the system. The allowed PFH depends on the required SIL and ranges from 10–5/h for SIL 1 to a The key design principles of Industry 4.0 include minimum of 10–7/h for SIL 3. XX Interoperability—everything is linked Systematic failures are those inherent in a design, in the sense that they XX Virtualization—plant and simulation models available can only be fixed by a design change. Insufficient EMC robustness can be considered a systematic error, as can deficiencies in requirements, XX Decentralization—local intelligence insufficient verification and validation, and all software errors. Systematic XX Real-time capability—respond to the real world in real time errors are effectively weaknesses that exist in every item produced rather XX Service orientation—services available via the internet than being present in individual units. If the right set of circumstances XX Modularity—reconfigurable as required arise, the failure will occur with 100% probability. With sensor fusion and data analytics, new insights will be gained, includ- To be suitable for use in a situation requiring a SIL X safety function, both ing preventative maintenance based on diagnostics gathered from smart the random and systematic requirements given in the standard for that instruments and its analysis in the cloud. Comparison of aging between SIL level must be met. Compliance to the hardware requirements alone systems can also allow for the switching in of redundant items to increase is not sufficient. productivity. Machine health will be a key concern.

D. Dealing with Random Failures A. Networking No matter how reliable the equipment, everything has a finite chance of Older systems tended to use isolated islands of automation—typically failing in any given hour. Techniques to combat random hardware failures using proprietary networks. Analog networking based on 4 mA to 20 mA include diagnostic coverage requirements and the use of redundancy. circuits was and is still common and has many benefits including EMC Depending on the SIL level for the safety function, there will be a minimum robustness, a range up to 3 km, and it is intrinsically safe and synchronized PFH or PFD (probability of failure on demand). Also, depending on the SIL, but is not flexible or fast enough for Industry 4.0. there will be a minimum required SFF (safe failure fraction) ranging from 60% to 99% as the SIL increases from SIL 1 to SIL 3. The standard allows With Industry 4.0, the desire is to have everything connected and talking a trade-off to be made between the diagnostics and the redundancy pres- to everything else. Common terms include M2M (machine to machine) and ent in a system. Other techniques involve derating and the use of better P2M (process to machine). The connectivity can then be exploited to quality components. XX Increase manufacturing efficiency E. Dealing with Systematic Failures XX Increase manufacturing flexibility Systematic failures are failures not related to a random hardware failure XX Increase operational knowledge and can require a design change to avoid the failure. XX Drive down production costs Systematic failures are addressed by following a rigorous development Ethernet-based connectivity solutions are well placed to address the process with independent reviews of the various work products. The process above requirements, but the safety and security requirements of such is often represented in V models of varying complexity. The required rigor of networks need to be addressed. With the new efficiencies, new services the reviews and the required independence of the reviewers increases will become cost-effective. with the SIL level. Visit analog.com 3

B. Security is therefore safety related. IEC 61508 refers to IEC 61784-3, a fieldbus With the use of digital networks, security becomes an issue. Recent cas- standard, for the functional safety requirements. These will include mea- sures to deal with random and systematic error sources. es highlighted in film (for example, Zero Days) and the media include the Stuxnet and black energy viruses. If the network extends out into the cloud, A commonly accepted error budget for the allocation of the maximum then hacking one cloud provider could bring down many factories, whereas allowed probability of failure per hour is shown in Table 1. Refinements previously they would have to be hacked one at a time. This economy of of this model often show 1% of the budget allocated to each of the scale makes them a much more attractive proposition for hackers. Some interfaces shown in red. If the safety function is SIL 3, then the maximum pundits have even claimed IoT really stands for “Internet of Threats.” allowed PFH is 10–7/h, so the 1% allocation to the interfaces is 10–9/h. IT security requirements are not generally suitable for application to In total, the hazards related to communications that must be considered are industrial networks. IT security has several behaviors, including frequent shown in Table 1, which is contained in standards including IEC 61784, 11 software updates that are not suitable for manufacturing, where software EN 50159, and IEC 62280. changes are frowned upon due to the risk of unintended consequences Each row in Table 1 must be addressed by at least one of the defenses. stopping production. This abhorrence to change is even stronger when Further elaboration on the defenses is given in IEC 61784-39 and IEC safety is involved due to the high cost of certifying functional safety 62280-1/EN 50159.12 For instance, corruption might be dealt with by the systems and the required change management processes. use of a CRC with a Hamming distance dependent on the expected BER (bit error rate), SIL requirement, and number of bits transmitted per hour. The proposed international consensus standard covering security require- ments for industrial control is IEC 62443. IEC 6244310 covers the design, The requirements are further complicated by the fact that in an industrial implementation, and management of IACS (industrial automation and environment, it is considered very advantageous if safety and nonsafety control systems). data can be communicated on the same network. IEC 61508-2:2010 offers two options. Option 1) is the white channel C. Robots and Cobots approach, where the entire communication channel is developed to IEC Robots used to be big scary machines that lived in cages. Cobots or col- 61508. Option 2) is the black channel approach, whereby no assumptions laborative robots are much less scary and take care not to hurt people. are made on the performance of the communications channel and safety They are a fusion of sensors and software with no need to be separated is dealt with by a special layer in each safety device. This safety layer from human workers. Cobots in an industrial environment could consist addresses the threats from Figure 2 with a set of defenses. These defenses of an arm or pair of arms, such as the UR5 series from Universal Robots are in addition to any defenses within the underlying fieldbus standard and or ABB’s YuMi®. In the factory of the future, cobots will assist the human might, for instance, include another CRC to detect bit corruption in addition operator and even know whether the person they are working with is right to the CRC within the underlying communications protocol. The black chan- or left handed. nel approach is by far the more common. One example is PROFIsafe, which is a safety layer that sits on top of either PROFIBUS® or PROFINET®. Sensor E/E/PES Actuator Functional Safety and Security 35% 15% 50% It is interesting that in many languages there is only one word for security Figure 3. Error budget for a typical safety system. and safety. However, in the industrial context, they both cover a different set of concerns that are sometimes in conflict. One definition of safety is AGV (automated guided vehicles) are mobile robots and could be considered that it prevents harm due to unintentional actions, while the correspond- a special kind of cobot. They provide an essential element for Industry 4.0 ing definition of security is that it prevents harm due to intentional actions. by moving product and materials around the manufacturing floor. Commonalities between the two include the fact that safety and security need to be considered at the architecture level. Otherwise they are very As new hazards arrive because of the dynamic environment, they must difficult to add in afterward. But the two conflict because the typical safety be addressed. For both cobots and AGV, the options are 1) to develop an reaction to an unexpected event is to shut the system down—a feature inherently safe system because the forces are sufficiently low that no that hackers can exploit through denial of service attacks, and which serious harm can occur, or 2) to engineer a solution based on the relevant security is meant to protect against. Security features typically include functional safety standards. For AGV, collision avoidance can be based on passwords for authentication, but do you really want to slow down a vision, radar, lasers, or tracks embedded in the floor. safety reaction while somebody types in a password or lock the safety guy Functional Safety and Networking out if the password is entered wrong three times? A functional safety system typically consists of sensor, logic, and output Revision two of IEC 61508 from 2010 contains almost no security require- subsystems. The three elements combine to implement a safety function ments. It does state that security must be considered and references the as and it is to the safety function as a whole that the SIL level, PFH, SFF, and of yet unreleased IEC 62443 series for guidance. In addition, there are spe- HFT requirements apply. The communication between these subsystems cific standards currently being written to address the relationship between functional safety and security in the machinery and nuclear domains. Table 1. Threats and Defenses in a Network Defenses Source and Destination Feedback Identification Cryptographic Threats Sequence Number Time Stamp Time Out Safety Code Identifiers Message Procedure Techniques Repetition Deletion Insertion Re-Sequence Corruption Delay Masquerade 4 Functional Safety and Industry 4.0

Similar to the SIL levels within IEC 61508, IEC 62443 defines SL (security to judge the probability of this, and some functional safety standards state level) where the levels are also 1 to 4. A system that meets SL 1 might be the probability should be considered as 100%.15 However, while it seems secure to a casual bystander, whereas a system that meets SL 4 might be reasonable that a 99.99% bug free program will normally not cause a secure to hacking attempts by state sponsored bodies. However, there is safety problem, a hacker will try to ensure that the 0.01% instance is no direct mapping from SIL to SL. always encountered. Therefore, the elimination of systematic errors is as important for security as for functional safety. However, it is true that IEC 62443 identifies seven fundamental requirements (FR) with IEC 100% perfect safety related software could have gross security issues. 62443-4-2 to give guidance on what is required for each FR to achieve a given SL. The seven FR are: In the past, the use of software was not allowed in safety systems as it was deemed inherently untestable due to the number of different states XX Identification and authentication control (IAC) it presents. The new standards offer a life cycle model that, if followed, XX Use control (UC) allow a claim for safety to be made because the techniques advocated in XX System integrity (SI) those standards have been shown to produce safe systems in the past. Software is inherently attractive because it allows a general-purpose XX Data confidentiality( DC) machine to be transformed into a very specific machine. However, this XX Restricted data flow (RDF) flexibility is also one of its weaknesses. XX Timely response to events (TRE) Documents such as ESDA-31216 show that many of the techniques from XX Resource availability (RA) IEC 61508 can be used to meet industrial security requirements. Following SL 1 can then be represented as a security vector (1, 1, 1, 1, 1, 1, 1) such a process leaves a paper trail of work products that can be used to where each item in the vector corresponds to one of the seven FR. Given demonstrate that safety has been achieved. that SL 1 represents casual attacks, that would seem the minimum These techniques include doing design reviews, having a coding standard, requirement for a safety application where foreseeable misuse must be planning the use of tools, verification at the unit level, requirements considered.13 It can be argued that a suitable vector for safety applications traceability, independent verification, and assessment. While software 13 with a SIL > 1 is (N1, N2, N3, 1, 1, N6, 1), where it is recognized that data does not wear out, the hardware on which it runs can fail and the software confidentiality, restricted data flow, and availability are of limited concern needs to take care of this. For machines and robots, the use of redundant in industrial functional safety applications. However, there is no clear cor- architectures such as Cat 3 or Cat 4 from ISO 13849 reduces the need

relation between the values for N1, N2, N3, and N6 depending on whether to implement diagnostics at the IC level, but does raise the requirement the SIL level is 2, 3, or 4. to have diverse software. A key point to remember is that while not all security systems have func- tional safety requirements, security needs to be considered for all safety Functional Safety and Integrated Circuits related systems. Integrated circuits (ICs) are vital to smart systems. ICs can provide the means to track the items in a container rather than the container itself, Functional Safety and Robots track the position of robot arms rather than just the entire robot, track ISO 1021814 is the standard covering the safety requirements for the health of even low value machines, and process data so that what industrial robots including cobots. It covers safe stopping, teaching, is transmitted into the cloud is information rather than data. New motor speed, and separation monitoring, along with power and force limit- control ICs can increase motor efficiencies and extend battery life. ing. ISO 10218-1:2011 clause 5.4.2 requires that safety-related parts of ICs provide the brains and, especially out at the edge, the intelligence the control system be designed to comply with PL = D Category 3 as needs to be compact and low power. They also provide sensor technology; described in ISO 13849-1:2006 or SIL 2 with a HFT (hardware fault toler- for instance, using radar, laser, magnetic, camera, or ultrasonic tech- ance) of 1 as described in IEC 62061:2005. In effect, this means at least niques. They can measure speed and position, and with new technologies a 2-channel safety system with diagnostic coverage of at least 60% for such as AMR (anisotropic magnetoresistance), sensors can determine each channel. Both standards (ISO 13849 and IEC 62061) defer to speed and position without external mechanical components. ICs implement IEC 61508-3 for software requirements. both the physical interface and the MAC (media access control) layers in AGV are not well addressed in ISO 10218, and while driverless cars are networks. With wireless communication, this implementation can all be addressed in the automotive standard, ISO 26262, the industrial usage done on an IC. is a special case of automotive given its far more restricted scope. The Similarly, integrated circuits can support security with PUF (physically machinery directive scope includes AGV and, given the lack of a specific unclonable functions), cryptographic accelerators, and tamper detec- standard, the requirements of the generic IEC 61508 standard will apply. tion mechanisms. Given the level of integration now possible, what used to be system-level requirements in many cases have become IC level requirements. General-Purpose + Software = Special Purpose Microcontroller Machine However, there is little enough on integrated circuits in the present indus- trial functional safety standards and even less in the security standards. Figure 4. Key benefit of software. For automotive, the draft of ISO 26262-11 planned for 2018 is an excel- While networking will likely be Ethernet-based for fixed robots, it will be lent resource and much of it is useful for integrated circuits intended for wireless for AVG, which will necessitate additional safety and security industrial applications also. In revision 2 of IEC 61508, an ASIC lifecycle requirements. model is presented that is almost identical to that for software. In fact, the argument as to whether HDL code such as Verilog is software or Functional Safety and Software just a representation of hardware is an interesting one. Annex E of IEC The detailed requirements to implement high quality software are mostly 61508-2:2010 deals with the requirements to claim on-chip redundancy the same regardless of whether you are dealing with safety or security. if using a single piece of silicon, but is limited to digital circuits only, and For instance, a software error by a programmer may lead to a system for the case of duplication, except it does not cover diverse redundancy failure if the right set of circumstances arise to expose the error. It is hard or analog and mixed-signal circuits. The informative Annex F of IEC Visit analog.com 5

61508-2:2010 is extremely useful as it gives a list of measures to be The available options include: taken during IC development to avoid introducing systematic errors. XX Develop the IC fully in compliance to IEC 61508 with an external The requirements are given for each SIL, but once again it is limited to assessment and safety manual digital circuits with no specific guidance on analog or mixed-signal ICs. XX The high level of integration available with an IC can be both a blessing Develop the IC in compliance to the IEC 61508 without external and a curse. Individual transistors on an IC are extremely reliable when assessment but with a safety manual compared to individual components, with the most unreliable aspect of an XX Develop the IC to the semiconductor companies standard development IC often being the pins. For instance, if the Siemens SN 29500 standard process but publish a safety data sheet is used for reliability prediction, then an IC with 500k transistors will have a FIT of 70, but this increases to only 80 if the number of transistors XX Develop the IC to the semiconductor companies standard process increases by a factor of 10 to 5 million. If instead two ICs, each with 500k Note—for parts not developed to IEC 61508, the safety manual may be transistors, are used, the FIT would be 70 for each, for a total of 140. called a safety data sheet or similar to avoid confusion. The content and The savings from 140 to 80 is before you also consider the savings in format in both cases will be similar. PCB area, PCB tracks, and external passives or that the on-chip anten- nas on an IC are so much smaller than on a PCB that EMI issues can be Option 1 is the most expensive option for the semiconductor manufacturer, reduced. The curse part of the equation is that with a complex IC, deter- but it also offers potentially the most benefit to the module or system mining the failure modes can be difficult. Simplicity is the friend of safety designer. Having such a component where the application shown in the and it is more likely that two separately packaged microcontroller would safety concept for the integrated circuits matches that of the system cuts be considered as simpler than an IC containing two microcontrollers. the risk of running into problems with the external assessment of the Annex E of IEC 61508-2:2010 gives some guidance. However, in claiming module or system. The extra design effort for a SIL 2 safety function can sufficient independence and in most safety standards, aβ (measure of be on the order of 20% or more. The extra effort would probably be higher, both channels failing at the same time for the same reason) of less than except that semiconductor manufacturers typically already imply a rigor- 10% is considered very good. ous development process even without functional safety. IC suppliers can help both their safety and security suppliers by supplying Option 2 saves the cost of external assessment, but otherwise the impact certified components, safety manuals, or safety data sheets for released is the same. This option can be suitable where customers are going to get parts, on-chip hardware accelerators, on-chip and off-chip diagnostics, and the module/system externally certified anyway and the integrated circuit ( the means to separate critical and noncritical software both safety and is a significant part of that system. security critical). These safety and security features need to be designed in from the start. Trying to add safety and security after the ICs are designed Option 3 is most suitable for already released integrated circuits where will lead to extra system complexity and additional components. the provision of the safety data sheet can give the module or system designer access to extra information that they need for the safety design There are several options for developing integrated circuits to be used in at the higher levels. This include information such as details of the actual functionally safe systems. There is no requirement in the standard to only use compliant integrated circuits, but rather the requirement is that the development process used, FIT data for the integrated circuit, details of module or system designers satisfy themselves that the chosen integrated any diagnostics, and evidence of ISO 9001 certification for the manufac- circuit is suitable for use in their system. Having an independently assessed turing sites. safety manual is one way to be satisfied, but not the only option.

System System Fault Control JTAG, SWD, Fault Control Security ™ Security Management Blocks CoreSight Trace Management Blocks

Event System PLL and Power Event System Control Watchdogs Management Control Watchdogs Peripherals

CRC

OCU Math Cortex-M0 Cortex-M4 Cordic 1× TWI/I2C SRAM Mailbox Flash SRAM 24× PWM

32 kB Up to Up to 8× Timer SRAM 1 MB 160 kB Flash SRAM 1× CAN

4× UART

Local Fabric 1× SPI Local Fabric 1× SPORT

Peripherals GPIO (59) Static GPIO (59) Memory System Fabric System Fabric Controller 8× Timer (ASYNC I/F)

1× CAN AFE AFE HW Enhance

4× UART HAE FFT

GPIO (14) ADCC0 ADCC1 DACC0 FOCP ADC1/ 1× SPI ADC0 DAC Sinc ADC2 LBA Filters

Figure 5. The ADSP-CM41x series from ADI with many safety and security features. Option 4 will, however, remain the most common way to develop inte- 6 IEC 61800-5-2 Adjustable Speed Electrical Power Drive Systems— grated circuits. Use of such components to develop safety modules or Part 5-2: Safety Requirements—Functional. International Electrotechnical systems will require additional components and expense for the module/ Commission, 2016. system design because the components will not have sufficient diagnostics 7 ISO 13849 All Parts, Safety of Machinery—Safety-Related Parts of Control requiring dual-channel architecture with comparison as opposed to single Systems. International Organization for Standardization, 2015. channel architectures. In addition, the diagnostic test intervals with such 8 components will generally be suboptimal and the availability less as it will “Recommendations of Implementing the Strategic Initiative Industrie 4.0: not be possible to identify which of the failing items has failed, which can Final Report of the Industrie 4.0 Working Group.” Forchungsunion and have an impact on availability. Without a safety data sheet, the module/ acatech, April 2013. system designer will also need to make conservative assumptions treat- 9 IEC 61784-3 Industrial Communication Networks—Profiles— Part 3: ing the integrated circuit as a black box. This may reduce the reliability Functional Safety Fieldbuses—General Rules and Profile Definitions. numbers that can be claimed. International Electrotechnical Commission, 2016. 10 To simplify implementing functional safety, IC manufacturers may wish to ISO/IEC 62443 All Parts, Security for Industrial Automation and develop their own interpretation of IEC 61508. At Analog Devices, there is Control Systems. an internal company specification, ADI61508, which is the interpretation 11 IEC 62880, Railway Applications—Communication, Signaling, and of IEC 61508 for an integrated circuit development. All seven parts of IEC Processing Systems—Part 1: Safety-Related Communication in Closed 61508 are then interpreted in one document with the bits of IEC 61508 not Transmission Systems. International Electrotechnical Commission, 2017. relevant to an integrated circuit omitted and the remaining bits interpreted 12 EN 50159, Railway Applications—Communication, Signaling, and for an integrated circuit. Processing Systems—Part 1: Safety-Related Communication In Closed No matter which system level standards apply, ICs are developed to Transmission Systems. European Committee for Electrotechnical IEC 61508 with the one exception being automotive, where ISO 26262 Standardization, September 2010. can be used to develop ICs and software for automotive applications. 13 Jens Braband. “What’s Security Level got to do with Safety Integrity Level?” 8th European Congress on Embedded Real-Time Software and Summary Systems (ERTS 2016), January 2016. Industrial in general and Industry 4.0 are well served by various func- 14 ISO 10218-1, Robots and Robotic Devices—Safety Requirements tional safety standards based on IEC 61508. These include standards for Industrial Robots—Part 1: Robots. International Organization for for software, hardware, networking, security, and robotics. However, the Standardization, 2011. information is currently spread across multiple standards, and Industry 15 Chris Hobbs. Embedded Software Systems For Safety Critical Systems. 4.0 has several unique features related to constant change that required Auerback Publications, October 2015. due to the flexibility needed by Industry 4.0. It may be that a single 16 ISA Security compliance institute—EDSA-312—Embedded Device focused standard for Industry 4.0 is warranted to simplify compliance Security Assurance—Software Development Security Assessment. using an interpretation of the basic safety standards for the new world. International Electrotechnical Commission, July, 2016. Perhaps this can be called “Safety 4.0” or “Smart safety”! Similarly, more IC-related information is required in the IEC 61508 standard to allow for sufficient safety to be demonstrated as well as achieved. Going forward, About the Author the opportunities and challenges before Industry 4.0 becomes a reality and a success will be interesting to behold. Tom is a 30-year veteran of Analog Devices and he holds a B.Eng. first class in electronics and an M.Sc. first class in applied Functional safety has a lot to offer Industry 4.0, not just because safety mathematics and computing. Tom is the holder of eight U.S. is an essential element of future factories, but also because functional patents and is a certified TÜV Rheinland functional safety engineer safety has the techniques to enable higher reliability, diagnostics, resil- in the area of machinery. Tom is a member of various IEC working ience, and redundancy. groups in the area of functional safety, including those related to IEC 61508-2, IEC 61508-3, and IEC 61800-5-2. He can be References reached at [email protected]. 1 IEC 61508 All Parts, Functional Safety of Electrical/Electronic/ Programmable Electronic Safety-Related Systems. International Electrotechnical Commission, 2010. 2 ISO 26262 All Parts, Road Vehicles Functional Safety. International Online Support Organization for Standardization 2011. Community 3 IEC 61511 All Parts, Functional Safety—Safety Instrumented Systems for Engage with the the Process Industry Sector. International Electrotechnical Commission, 2016. Analog Devices technology experts in our online support community. Ask your tough design questions, browse FAQs, 4 IEC 61131-6 Programmable Controllers—Part 6: Functional Safety. or join a conversation. International Electrotechnical Commission, 2012. 5 IEC 62061—Safety of Machinery—Functional Safety of Safety-Related Visit ez.analog.com Electrical, Electronic, and Programmable Electronic Control Systems. International Electrotechnical Commission, 2005.

Analog Devices, Inc. Analog Devices, Inc. Analog Devices, Inc. Analog Devices, Inc. ©2018 Analog Devices, Inc. All rights reserved. Trademarks and Worldwide Headquarters Europe Headquarters Japan Headquarters Asia Pacific Headquarters registered trademarks are the property of their respective owners. Ahead of What’s Possible is a trademark of Analog Devices. Analog Devices, Inc. Analog Devices GmbH Analog Devices, KK Analog Devices TA16602-0-3/18 One Technology Way Otl-Aicher-Str. 60-64 New Pier Takeshiba 5F, Sandhill Plaza P.O. Box 9106 80807 München South Tower Building 2290 Zuchongzhi Road analog.com Norwood, MA 02062-9106 Germany 1-16-1 Kaigan, Minato-ku, Zhangjiang Hi-Tech Park U.S.A. Tel: 49.89.76903.0 Tokyo, 105-6891 Pudong New District Tel: 781.329.4700 Fax: 49.89.76903.157 Japan Shanghai, China 201203 (800.262.5643, U.S.A. only) Tel: 813.5402.8200 Tel: 86.21.2320.8000 Fax: 781.461.3113 Fax: 813.5402.1064 Fax: 86.21.2320.8222